
12-29-2006, 07:35 AM
Newbie
Join Date: Nov 2006
Location: England, UK
Posts: 21
Unauthorised login attempts
Hi,
In my Plesk RHEL4 VPS logs recently I noticed the following, just wondering what it means.
I have put xxx to modify the usernames. P.S. nothing to do with the adult industry.
Previously I had a lot more of these entries, but then I changed the ssh port, changed the password, and disabled root access too.
Dec 24 11:47:18 xxhost sshd[3592]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 24 11:47:21 xxhost sshd[3668]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 24 11:47:24 xxhoss sshd[3746]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 24 11:47:28 xxhost sshd[3825]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Today.....
Dec 29 09:01:04 xxxhost crond(pam_unix)[20453]: session closed for user root
Dec 29 09:10:01 xxxhost crond(pam_unix)[8054]: session opened for user root by (uid=0)
Dec 29 09:10:03 xxxhost crond(pam_unix)[8054]: session closed for user root
Dec 29 09:15:01 xxxhost crond(pam_unix)[20094]: session opened for user root by (uid=0)
Dec 29 09:15:01 xxxhost crond(pam_unix)[20094]: session closed for user root
Dec 29 09:20:02 xxxhost crond(pam_unix)[32582]: session opened for user root by (uid=0)
This one is more disturbing.
Dec 26 18:29:51 carthosts sshd[23834]: Accepted password for xxxftp from 75.4.172.100 port 54147 ssh2
I have checked with rkhunter and chkrootkit 0.47, all seems fine.
Any advice or tips would be appreciated.
Thanks,
Av

12-29-2006, 08:01 AM
Aspiring Evangelist
Join Date: Dec 2002
Location: Chicago
Posts: 354
In all honesty, getting probed is a daily occurrence for any server on the internet, even ones with different ports. What I tell many people to do is this:
login as root
nano .bash_profile
add the following at the bottom:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@emailaddress.com
save.
(script from another user on wht, works quite well)
Now it will email you when anyone successfully logs in as root on your server. You may want to disable direct logins as root, and have a wheel user setup, and above all else, just make that password VERY random and even more hard to guess.
__________________
-DPI
Chicago's #1 Datacenter Technician

12-29-2006, 09:14 AM
Newbie
Join Date: Nov 2006
Location: England, UK
Posts: 21
Hi,
Thanks for your advice.
I have already set up the email alert, although the who command doesn't give a response on my Plesk Linux VPS. It might be something to do with the Vz / VPS setup?
Instead I grep from netstat and email the hostname of the user; not as good as the IP address, but something is better than nothing.
Not sure about the wheel user setup, what is that about?
I am running Plesk 8.1, Linux RHEL4 VPS.
Regards,
Av

12-29-2006, 09:28 AM
Retired Moderator
Join Date: Oct 2004
Location: Southwest UK
Posts: 1,159
The wheel user setup is to prevent root from logging into ssh (there is a config option explicitly for this in /etc/ssh/sshd_config), so you have to log in as a normal user. If you add that user to the wheel group, you can use the su command to change your login to root.
So, root can never login, an attacker has to know the new user you're using, and its password *and* also has to know the root password too. They'll never get in using brute force, whereas if root is allowed direct login, they can repeatedly try over and over again until they stumble across the password.
To create the new user in SSH in the wheel group as well as his own group:
adduser <username> -G wheel
Then type
passwd <username>
to set the password.
Alternatively the usermod command can be used to add wheel group access to an already existing user.
__________________
Do not meddle in the affairs of Dragons, for you are crunchy and taste good.

01-01-2007, 08:53 AM
Newbie
Join Date: Nov 2006
Location: England, UK
Posts: 21
Hi,
Well I have changed the ssh setup, to something that is more secure, hopefully.
I had changed the default port 22 to another port, and disabled root login.
However now I have changed the authentication method:
Changed back to root login, but with 2048 bit public / private key + password.
I log in as root and put in my password key, and I only get authenticated if I also have my private key installed on my personal PC.
A password on its own does not get me logged in, nor does the private key on its own.
So, it should be more secure, as no one but me has the 2048bit key and password too.
Opinions welcome.
Thanks.
Av
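As an added example, not code from anyone in this thread: a shell audit of the settings discussed in the moderator's wheel/su post above and in this one. It reads sshd_config keywords the way sshd does (the first occurrence of a keyword wins, later duplicates are ignored, keywords are case-insensitive) and checks that su is restricted to the wheel group via pam_wheel. The sshd_config and /etc/pam.d/su contents are constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Constructed sample sshd_config reflecting the thread's setup; not the poster's real file.
SAMPLE_SSHD_CONFIG='# non-default port, no direct root login, keys allowed
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
# sshd ignores this later duplicate: the first value of a keyword wins
PermitRootLogin yes'
# Constructed sample /etc/pam.d/su with su restricted to the wheel group.
SAMPLE_PAM_SU='auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth'

# Effective value of one sshd_config keyword, config on stdin. sshd takes the
# first non-comment occurrence (later duplicates are ignored), keywords are
# case-insensitive, and the given default applies when the keyword is absent.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }'
}

# Audit the settings the thread discusses (config on stdin); returns 0 if none
# is weak. Defaults are the OpenSSH 4.x ones, where PermitRootLogin was "yes".
audit_sshd_config() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin yes)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    port=$(printf '%s\n' "$cfg" | sshd_effective Port 22)
    echo "Port=$port PermitRootLogin=$root PasswordAuthentication=$pw"
    weak=0
    # Direct root login by password is the brute-force target the thread warns about.
    if [ "$root" = "yes" ] && [ "$pw" = "yes" ]; then
        echo "WEAK: root may log in directly with a password"; weak=1
    fi
    # A non-default port only reduces scanner noise; it is not a control on its own.
    [ "$port" = "22" ] && echo "NOTE: sshd is still on the default port 22"
    return $weak
}

# True when /etc/pam.d/su (on stdin) has an uncommented "auth required pam_wheel.so".
wheel_restricts_su() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config || echo "sshd_config needs attention"
printf '%s\n' "$SAMPLE_PAM_SU" | wheel_restricts_su && echo "su: restricted to wheel"
```

Requiring both a key and a password on the server side is possible on OpenSSH 6.2 and later with AuthenticationMethods publickey,password; the OpenSSH shipped with RHEL4 predates that directive.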

01-01-2007, 09:34 AM
LORD OF THE RINGS
Join Date: Dec 2005
Location: Internet
Posts: 1,317
Quote:
Dec 24 11:47:18 xxhost sshd[3592]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 24 11:47:21 xxhost sshd[3668]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
This warning message is because of the SSH connection from the IP having no A record in the DNS provider. Many dialup connections don't have that.
Quote:
Dec 29 09:01:04 xxxhost crond(pam_unix)[20453]: session closed for user root
Dec 29 09:10:01 xxxhost crond(pam_unix)[8054]: session opened for user root by (uid=0)
Dec 29 09:10:03 xxxhost crond(pam_unix)[8054]: session closed for user root
Dec 29 09:15:01 xxxhost crond(pam_unix)[20094]: session opened for user root by (uid=0)
This is the PAM (Pluggable Authentication Module) message which is taken from /var/log/messages. You can see the root login time from these messages.
Quote:
Dec 26 18:29:51 carthosts sshd[23834]: Accepted password for xxxftp from 75.4.172.100 port 54147 ssh2
This message shows the IP from which the ssh login happened and the username.
Personally, I don't prefer giving shell access to users other than root. (Changing the SSH port and disabling the direct root access is a good idea). Also, make sure that you are using the latest version of packages like OpenSSH etc etc.
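As an added example, not code from anyone in this thread: a small shell script that sorts the three kinds of log line quoted above into the categories this post explains. It pulls user, method and client address out of sshd's Accepted lines, counts reverse-DNS warnings per client name, and, going one step further than the post, separates cron's routine root sessions from root sessions opened by sshd, login or su. The log lines are constructed samples modelled on the ones quoted, not real data.

```shell
#!/bin/sh
# Constructed sample lines modelled on those quoted in the thread; not real log data.
SAMPLE_LOG='Dec 24 11:47:18 xxhost sshd[3592]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 24 11:47:21 xxhost sshd[3668]: reverse mapping checking getaddrinfo for host-212-98-209-14.borusantelekom.com failed - POSSIBLE BREAKIN ATTEMPT!
Dec 26 18:29:51 xxhost sshd[23834]: Accepted password for xxxftp from 75.4.172.100 port 54147 ssh2
Dec 29 09:10:01 xxhost crond(pam_unix)[8054]: session opened for user root by (uid=0)
Dec 29 09:10:03 xxhost crond(pam_unix)[8054]: session closed for user root
Dec 29 09:12:40 xxhost sshd[8101]: Accepted publickey for root from 203.0.113.7 port 40112 ssh2
Dec 29 09:12:40 xxhost sshd(pam_unix)[8101]: session opened for user root by (uid=0)'

# Successful SSH authentications: print "date time user method client-ip".
# Field layout: ... sshd[pid]: Accepted <method> for <user> from <ip> port <n> ssh2
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $1, $2, $3, $9, $7, $11 }'
}

# Failed reverse-DNS checks counted per client name. By itself this only means
# the client's PTR name did not resolve back to its address (common for dialup
# and dynamic ranges); it matters only next to an Accepted line from that client.
reverse_dns_warnings() {
    awk '/reverse mapping checking getaddrinfo for/ { n[$11]++ }
         END { for (h in n) print n[h], h }'
}

# "session opened for user root" from crond is a cron job starting, which is the
# every-five-minutes pattern in the thread. The same line from sshd, login or su
# is an interactive root session, the event the .bash_profile alert is for.
root_sessions_not_cron() {
    awk '/session opened for user root/ && $5 !~ /^crond/ { print $1, $2, $3, $5 }'
}

# Stand-alone demo over the constructed sample.
echo "== accepted logins =="
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
echo "== reverse-DNS warnings per client =="
printf '%s\n' "$SAMPLE_LOG" | reverse_dns_warnings
echo "== root sessions not started by cron =="
printf '%s\n' "$SAMPLE_LOG" | root_sessions_not_cron
```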

01-01-2007, 11:21 AM
Newbie
Join Date: Nov 2006
Location: England, UK
Posts: 21
Hi linuxcares,
Thanks for your reply.
The worrying thing is the session opening for root; I am not sure what that is... I don't think it was me.
Also this line,
Dec 26 18:29:51 carthosts sshd[23834]: Accepted password for xxxftp from 75.4.172.100 port 54147 ssh2
WAS NOT ME... it is not my IP address. And it is a non-root user. (I had set it up like that, as the recommendation was to disable root login and su to it!)
I guess I should be more secure now, as I can only login with my private key.
Regards,
Av